I need help parameterizing some VBScript code in an .asp file - asp.net

Here is a snippet of what I'm working on. Please let me know if I need to post more:
<%@ LANGUAGE = VBScript ENABLESESSIONSTATE = False %>
<!--#include file="Connections/ConnectionString.asp" -->
<!--#include file="SqlCheckInclude.asp" -->
<%
Dim LoginTest
LoginTest = ""
If Request.QueryString("Action") = "Login" Then
Dim IsUserNameLocked
Set IsUserNameLocked = Server.CreateObject("ADODB.Recordset")
IsUserNameLocked.ActiveConnection = ConnectionString
sProUserName = Request.Form("ProUserName")
sanitizedProUserName = "'" & Replace(sProUserName, "'", "''") & "'"
Response.Write(sanitizedProUserName)
Response.End()
IsUserNameLocked.Source = "SELECT IL_Date, IL_Timer, IL_NumOfTimes, ProUserName FROM PROFILE WHERE ProUserName =" & sanitizedProUserName
IsUserNameLocked.CursorType = 2
IsUserNameLocked.CursorLocation = 3
IsUserNameLocked.LockType = 3
IsUserNameLocked.Open
if not IsUserNameLocked.eof then
intNumOfIncorrectLogin = IsUserNameLocked("IL_NumOfTimes")
InCorrectLoginDate = IsUserNameLocked("IL_Date")
InCorrectLoginTime = IsUserNameLocked("IL_Timer")
end if
IsUserNameLocked.close
set IsUserNameLocked = nothing
end if
%>
I attempted to convert it to:
If Request.QueryString("Action") = "Login" Then
Dim IsUserNameLocked
Set IsUserNameLocked = Server.CreateObject("ADODB.Recordset")
IsUserNameLocked.ActiveConnection = ConnectionString
strSql = "SELECT IL_Date, IL_Timer, IL_NumOfTimes, ProUserName FROM PROFILE WHERE ProUserName = ?"
strSearch = Request.Form("ProUserName")
set objCommand = Server.CreateObject("ADODB.Command")
objCommand.ActiveConnection = ConnectionString
objCommand.CommandText = strSql
objCommand.Parameters(0).value = strSearch
IsUserNameLocked.results = objCommand.Execute()
IsUserNameLocked.CursorType = 2
IsUserNameLocked.CursorLocation = 3
IsUserNameLocked.LockType = 3
IsUserNameLocked.Open
end if
But this did not work. I have been searching online for the past few hours attempting to find a method that properly works, but I'm getting no functioning results. If someone could please help with an implementation that properly parameterizes and protects against SQL injection, I would be extremely grateful.

According to the docs, you need to .Append a parameter to a Command's parameter collection. Evidence:
>> Set oCmd = CreateObject("ADODB.Command")
>> WScript.Echo "# parameters", oCmd.Parameters.Count
>> oCmd.Parameters(0).Value = "no such thing"
>>
# parameters 0
Error Number: 3265
Error Description: Item cannot be found in the collection corresponding to the requested name or ordinal.
Do you use a global On Error Resume Next?
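To make the answer concrete, here is the login lookup from the question rewritten around a parameterized ADODB.Command. This is an added example, not the asker's or the answerer's code; it assumes ConnectionString comes from the included Connections/ConnectionString.asp and that PROFILE.ProUserName is an nvarchar column.

```vbscript
<%
' Added example (not the asker's or answerer's code): the login lookup from the
' question, rewritten with a parameterized ADODB.Command. Assumes ConnectionString
' comes from Connections/ConnectionString.asp and that PROFILE.ProUserName is an
' nvarchar column. ADO constants are declared inline because classic ASP does not
' include adovbs.inc by default.
Const adCmdText      = 1
Const adVarWChar     = 202
Const adParamInput   = 1
Const adUseClient    = 3
Const adOpenStatic   = 3
Const adLockReadOnly = 1

Function GetLockoutInfo(userName)
    ' Returns a client-side Recordset positioned on the user's row, or at EOF when
    ' there is no match. The user name never becomes part of the SQL text.
    Dim cmd, prm, rs, value, size
    value = CStr("" & userName)          ' Request.Form items arrive as variants
    size = Len(value)
    If size = 0 Then size = 1            ' ADO rejects a size of 0 for variable-length types

    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = ConnectionString
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT IL_Date, IL_Timer, IL_NumOfTimes, ProUserName " & _
                      "FROM PROFILE WHERE ProUserName = ?"
    ' The Parameters collection is empty until something is appended, which is why
    ' Parameters(0).Value in the question raised error 3265.
    Set prm = cmd.CreateParameter("ProUserName", adVarWChar, adParamInput, size, value)
    cmd.Parameters.Append prm

    ' Open the Recordset through the Command: the ActiveConnection argument is left
    ' out because the Command already carries one; cursor and lock type still apply.
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.CursorLocation = adUseClient
    rs.Open cmd, , adOpenStatic, adLockReadOnly
    Set GetLockoutInfo = rs
End Function

Dim rsLock, intNumOfIncorrectLogin, InCorrectLoginDate, InCorrectLoginTime
If Request.QueryString("Action") = "Login" Then
    Set rsLock = GetLockoutInfo(Request.Form("ProUserName"))
    If Not rsLock.EOF Then
        intNumOfIncorrectLogin = rsLock("IL_NumOfTimes")
        InCorrectLoginDate     = rsLock("IL_Date")
        InCorrectLoginTime     = rsLock("IL_Timer")
    End If
    rsLock.Close
    Set rsLock = Nothing
End If
%>
```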

Response.Redirect error

I have a form page that collects data. The user clicks SUBMIT, which goes to a "post" page. At the end of this page is the redirect code I am using.
response.redirect( "test.asp?ChecklistID=" + ChecklistID )
For some reason, the result is this.
/test.asp?ChecklistID=4784,%204784
Why is this returning in TWO ID's? I only have ONE record in the 'results' table. And it is '4784'.
Adding the code
<%
'Option Explicit
Dim SQLStmt, sql, RS, ChecklistID, Location, ChecklistDate, Driveup, _
ConnectString, conn, objconn
Dim weeds, parking_lot, sidewalk, windows, exterior_trash, door_clean
Dim mats_clean, Notes_page1
Location = Request("Location")
ChecklistDate = Request("ChecklistDate")
Driveup = Request("Driveup")
ChecklistID = Request("ChecklistID")
weeds = Request("weeds")
parking_lot = Request("parking_lot")
sidewalk = Request("sidewalk")
windows = Request("windows")
exterior_trash = Request("exterior_trash")
door_clean = Request("door_clean")
mats_clean = Request("mats_clean")
Notes_page1 = Request("Notes_page1")
ConnectString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
Server.MapPath("../xyz/mydatabase.mdb")
Set conn = Server.CreateObject("ADODB.Connection")
conn.open ConnectString
SQLStmt = "SELECT * FROM Results WHERE ChecklistID =" & ChecklistID & " ; "
Set RS = Server.CreateObject("ADODB.Recordset")
RS.open "Results", conn, 3, 3
RS.Update
RS("ChecklistDate") = ChecklistDate
RS("Driveup") = Driveup
RS("weeds") = weeds
RS("parking_lot") = parking_lot
RS("sidewalk") = sidewalk
RS("windows") = windows
RS("exterior_trash") = exterior_trash
RS("door_clean") = door_clean
RS("mats_clean") = mats_clean
RS("Notes_page1") = Notes_page1
RS.Update
RS.close
set RS = nothing
conn.close
set conn = nothing
response.redirect( "test.asp?ChecklistID=" + ChecklistID )
%>
The browser might be retaining some history with response.redirect. Try using Server.Transfer. Or, if it's the same page, you might not have to re-add the query string.
Solved
I had the same hidden field in there twice causing the issue.

Do not generate file in disk, instead send mail with data in memory

I have a piece of code that works and does the following:
Reads a database, reads a template (template.htm), puts the data in a new file based on the template (evento.htm), reads that file and sends an email with the content of the generated file. Code below (I cut the database part):
<%
NomeDoTemplate= "template.htm"
CaminhoDoTemplate= Server.MapPath(NomeDoTemplate)
CaminhoDoTemplateAjustado= Mid(CaminhoDoTemplate,1,InStrRev(CaminhoDoTemplate,"\"))
NomeDoArquivo= "evento.htm"
CaminhoDoArquivo= Server.MapPath(NomeDoArquivo)
Set ManipulacaoDeArquivo= Server.CreateObject("Scripting.FileSystemObject")
Set ObjetoArquivo= ManipulacaoDeArquivo.OpenTextFile(CaminhoDoTemplate, 1)
DadosDoObjetoArquivo= ObjetoArquivo.ReadAll
ObjetoArquivo.Close
DadosDoObjetoArquivo= Replace(DadosDoObjetoArquivo, "[Cliente]", Um)
Set ObjetoArquivo= ManipulacaoDeArquivo.CreateTextFile(CaminhoDoTemplateAjustado & NomeDoArquivo)
ObjetoArquivo.Write(DadosDoObjetoArquivo)
Set ObjetoArquivo= ManipulacaoDeArquivo.OpenTextFile(CaminhoDoTemplateAjustado & NomeDoArquivo, 1)
DadosDoObjetoArquivo= ObjetoArquivo.ReadAll
Dim objCDOSYSMail
Dim objCDOSYSCon
Set objCDOSYSMail = Server.CreateObject("CDO.Message")
Set objCDOSYSCon = Server.CreateObject ("CDO.Configuration")
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.server.com"
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/sendusername") = "user_id"
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "password"
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 30
objCDOSYSCon.Fields.update
Set objCDOSYSMail.Configuration = objCDOSYSCon
objCDOSYSMail.From = "ABC <abc@server.com>"
objCDOSYSMail.To = "sender@gmail.com"
objCDOSYSMail.Subject = "Contato"
objCDOSYSMail.HTMLBody= DadosDoObjetoArquivo
objCDOSYSMail.Send
Set objCDOSYSMail = Nothing
Set objCDOSYSCon = Nothing
%>
I would like to make this simpler, skipping the step of generating the file on disk. I would like to:
Read a database, read a template, put the data in memory, send the mail with that data in memory.
Thanks
If I see it correctly, all you have to do is skip the part where you save the file and re-read it... I have refactored your code, gave the variables some English names so I could see what's going on, and commented out the lines you don't need:
<%
Dim TemplateName : TemplateName = "template.htm"
Dim TemplateFullPath : TemplateFullPath = Server.MapPath(TemplateName)
Dim TemplatePath : TemplatePath = Mid(TemplateFullPath,1,InStrRev(TemplateFullPath,"\"))
Dim ArchiveName : ArchiveName = "evento.htm"
Dim ArchiveFullPath : ArchiveFullPath = Server.MapPath(ArchiveName)
Dim FSO, TemplateFile, TemplateText
Set FSO = Server.CreateObject("Scripting.FileSystemObject")
Set TemplateFile = FSO.OpenTextFile(TemplateFullPath, 1)
TemplateText = TemplateFile.ReadAll()
TemplateText = Replace(TemplateText, "[Cliente]", Um)
TemplateFile.Close()
' Really simple - to do this in-memory, simply don't save and re-read the file....
' Set TemplateFile = FSO.CreateTextFile(TemplatePath & ArchiveName)
' TemplateFile.Write(TemplateText)
' Set TemplateFile = FSO.OpenTextFile(TemplatePath & ArchiveName, 1)
' TemplateText = TemplateFile.ReadAll
Set TemplateFile = Nothing
Set FSO = Nothing
Dim objCDOSYSMail, objCDOSYSCon
Set objCDOSYSMail = Server.CreateObject("CDO.Message")
Set objCDOSYSCon = Server.CreateObject ("CDO.Configuration")
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.server.com"
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/sendusername") = "user_id"
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "password"
objCDOSYSCon.Fields("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 30
objCDOSYSCon.Fields.update
Set objCDOSYSMail.Configuration = objCDOSYSCon
objCDOSYSMail.From = "ABC <abc@server.com>"
objCDOSYSMail.To = "sender@gmail.com"
objCDOSYSMail.Subject = "Contato"
objCDOSYSMail.HTMLBody= TemplateText
objCDOSYSMail.Send
Set objCDOSYSMail.Configuration = Nothing
Set objCDOSYSMail = Nothing
Set objCDOSYSCon = Nothing
%>
Hope this helps,
Erik
You could use several techniques:
write your own stringbuilder class
use the .net system.io.stringwriter class (yes you can use this from classic asp)
use the adodb.stream object
example stringwriter:
set sw = server.createObject("system.io.stringwriter")
sw.write_12( DadosDoObjetoArquivo )
objCDOSYSMail.HTMLBody = sw.getStringBuilder().toString()
example (adodb.stream):
set stream = server.createobject("ADODB.Stream")
with stream
.Open
.WriteText DadosDoObjetoArquivo
.Position = 0 ' rewind to the start, otherwise ReadText returns an empty string
end with
objCDOSYSMail.HTMLBody = stream.ReadText
stream.Close

Having a BOF or EOF error, after call recordCount

I have to call recordCount function to get the count of recordset.
But once I call recordCount function, the recordset is out of control.
...
Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Set adoCommand = CreateObject("ADODB.Command")
'Set adoRecordset = adoCommand.Execute
Set adoRecordset = Server.CreateObject ("ADODB.Recordset")
adoRecordset.cursorType = 3
adoRecordset.CursorLocation = adUseClient
Set adoRecordset = adoCommand.Execute
...
totalcnt = adoRecordset.recordCount
If totalcnt > 0 Then
...
Do until adoRecordset.EOF
' Retrieve values... But it fails because it seems adoRecordset is in EOF
...
So I use movefirst and try to retrieve values.
If adoRecordset.recordCount > 0 Then
adoRecordset.movefirst
...
But it raises an error (the message below is translated by Google):
ADODB.Recordset 오류 '800a0bcd'
BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
If I didn't call recordCount, there's no problem. But I should know the count of record.
The whole code is :
<%
'On Error Resume next
Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, strUser, strPassword, objNS, strServer
Dim name,company,physicalDeliveryOfficeName
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_SERVER_BIND = 0
' Specify a server (Domain Controller).
strServer = "my_ad_server_domain"
' Specify or prompt for credentials.
strUser = "my_account"
strPassword = "my_passwrd"
' Determine DNS domain name. Use server binding and alternate
' credentials. The value of strDNSDomain can also be hard coded.
Set objNS = GetObject("LDAP:")
Set objRootDSE = objNS.OpenDSObject("LDAP://" & strServer & "/RootDSE", _
strUser, strPassword, _
ADS_SERVER_BIND Or ADS_SECURE_AUTHENTICATION)
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use ADO to search Active Directory.
' Use alternate credentials.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Properties("User ID") = strUser
adoConnection.Properties("Password") = strPassword
adoConnection.Properties("Encrypt Password") = True
adoConnection.Properties("ADSI Flag") = ADS_SERVER_BIND _
Or ADS_SECURE_AUTHENTICATION
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire domain. Use server binding.
strBase = "<LDAP://" & strServer & "/" & strDNSDomain & ">"
' Search for all users.
strFilter = "(&(objectCategory=user)(ExADObjectStatus=10)(samaccountname=*"&"my_search_value"&"*))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "name,company,physicalDeliveryOfficeName"
' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" _
& strAttributes & ";subtree"
' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 60
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute
if not adoRecordset.EOF then
totalcnt = adoRecordset.recordCount
If totalcnt > 0 Then
Response.write 111
Do until adoRecordset.EOF
name = adoRecordset.Fields("name").Value
company = adoRecordset.Fields("company").Value
physicalDeliveryOfficeName = adoRecordset.Fields("physicalDeliveryOfficeName").Value
Response.Write name & "<br/>"
Response.Write company & "<br/>"
Response.Write physicalDeliveryOfficeName
adoRecordset.MoveNext
Loop
end if
end if
' Clean up.
adoRecordset.Close
adoConnection.Close
%>
It shows only one result of record.
You can try to face the problem from a different angle. Instead of trying to fix the internal recordCount property (which you can't) simply count the records yourself:
totalcnt = 0
Do until adoRecordset.EOF
totalcnt = totalcnt + 1
adoRecordset.MoveNext
Loop
If totalcnt>0 Then
adoRecordset.MoveFirst
Do until adoRecordset.EOF
name = adoRecordset.Fields("name").Value
'...
adoRecordset.MoveNext
Loop
End If
Update: Looks like in that specific case, the MoveFirst just fails, maybe because it's LDAP and not ordinary query from a database. To bust this once and for all, you can populate your own collection when iterating the records then use that collection as much as you like:
Dim oData, oField, tempArray
Set oData = Server.CreateObject("Scripting.Dictionary")
totalcnt = 0
For Each oField In adoRecordset.Fields
oData.Add oField.Name, Array()
Next
Do until adoRecordset.EOF
For Each oField In adoRecordset.Fields
tempArray = oData(oField.Name)
ReDim Preserve tempArray(UBound(tempArray) + 1)
tempArray(UBound(tempArray)) = oField.Value
oData(oField.Name) = tempArray
Next
totalcnt = totalcnt + 1
adoRecordset.MoveNext
Loop
adoRecordset.Close
Dim x
If totalcnt>0 Then
Response.Write("found total of " & totalcnt & " records<br />")
For x=0 To totalcnt-1
name = oData("name")(x)
company = oData("company")(x)
physicalDeliveryOfficeName = oData("physicalDeliveryOfficeName")(x)
Response.Write name & "<br/>"
Response.Write company & "<br/>"
Response.Write physicalDeliveryOfficeName
Next
End If
As the error indicates, the recordCount fails if you have no records in the recordset.
You can test for this before your code block. Try this:
if not adoRecordset.EOF then
totalcnt = adoRecordset.recordCount
If totalcnt > 0 Then
...
Do while not adoRecordset.EOF
...
Loop
end if
end if
edit: Corrected the loop to test for not adoRecordset.eof

VBscript search sAMAccountName from CN

I've written this script which pulls the sAMAccountName of the specified user from AD via VBScript, but it seems to only work within my own OU group. Is this due to a permissions restriction within my company? Or is this due to something I'm not seeing in the code?
Dim result
result = getsAMAccountName("Some Name")
msgbox result
Function getsAMAccountName(name)
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strsAM, objUser
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
msgbox strDNSDomain
strBase = "<LDAP://" & strDNSDomain & ">"
'be sure passed var usersel is referenced properly
strFilter = "(cn=" & name & ")"
strAttributes = "distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute
Do Until adoRecordset.EOF
strsAM = adoRecordset.Fields("distinguishedName").Value
Set objUser = GetObject("LDAP://" & strsAM)
getsAMAccountName = objUser.sAMAccountName
adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close
End Function
Does it work when you specify the OU in your GetObject call?
GetObject("LDAP://OU=YourOU,DC=YourDomain,DC=com")
From this question Querying Active Directory using VBScript
Ended up being permissions, be sure to include/specify a processID and PW when moving LDAP pulls to asp classic... and avoid asp classic
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
With adoConnection
.Properties("User ID") = "DOMAIN\ProcessAccount" ' process (service) account goes here; placeholder value
.Properties("Password") = "ProcessAccountPassword" ' its password; placeholder value
.Properties("encrypt password") = True
End With
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
Set adoCommand.ActiveConnection = adoConnection
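The filter in getsAMAccountName is built by concatenating the CN straight into the LDAP query string. As an added example (not the poster's code), here is the same lookup with the CN escaped per RFC 4515 before concatenation and with sAMAccountName requested as a search attribute instead of re-binding with GetObject for every hit. It assumes the caller passes in an open connection to the Active Directory Provider (with credentials as in the answer above) and the defaultNamingContext read from RootDSE.

```vbscript
' Added example, not the poster's code: getsAMAccountName from the question with
' the CN escaped per RFC 4515 before it is concatenated into the filter, so a name
' containing ( ) * \ or a control character cannot alter the filter's meaning, and
' with sAMAccountName requested as a search attribute instead of re-binding per hit.
' Assumes an open connection to the Active Directory Provider (credentials as in
' the answer above) and the defaultNamingContext, both supplied by the caller.
Function EscapeLdapFilterValue(value)
    Dim s, i, ch, code, out
    s = "" & value
    out = ""
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        code = AscW(ch)
        If code < 0 Then code = code + 65536      ' AscW is signed for code points >= &H8000
        If ch = "\" Or ch = "*" Or ch = "(" Or ch = ")" Or code < 32 Then
            out = out & "\" & Right("0" & Hex(code), 2)   ' e.g. "(" becomes \28
        Else
            out = out & ch
        End If
    Next
    EscapeLdapFilterValue = out
End Function

Function GetSamAccountName(adoConnection, strDNSDomain, cn)
    ' Returns the sAMAccountName of the first user whose CN matches exactly,
    ' or "" when nothing matches.
    Dim adoCommand, adoRecordset, strQuery
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoCommand.ActiveConnection = adoConnection
    strQuery = "<LDAP://" & strDNSDomain & ">;" & _
               "(&(objectCategory=person)(objectClass=user)(cn=" & _
               EscapeLdapFilterValue(cn) & "));" & _
               "sAMAccountName;subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    Set adoRecordset = adoCommand.Execute
    GetSamAccountName = ""
    If Not adoRecordset.EOF Then
        GetSamAccountName = "" & adoRecordset.Fields("sAMAccountName").Value
    End If
    adoRecordset.Close
End Function

' Usage, assuming adoConnection and strDNSDomain were set up as in the question:
' WScript.Echo GetSamAccountName(adoConnection, strDNSDomain, "Smith, John (Contractor)")
```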

Updateing NText causing long delay/timeouts

I'm trying to update an NText field in SQL 2000 using Classic ASP. Here is the code I'm using to do it. Anyone have any pointers on how to maybe speed it up? Or am I stuck with it?
set Cnn = server.CreateObject("ADODB.connection")
Cnn.ConnectionString = Application("Cnn_ConnectionString")
Cnn.open
set rs = server.CreateObject("ADODB.Recordset")
rs.CursorType = adOpenDynamic
rs.LockType = adLockOptimistic
conChunkSize = 100
rs.Open "MyTable",Cnn, , , adCmdTable
rs.Find "MyDataId=" & request("DataId"),,adSearchForward,1
lngOffset = 0
lngLogoSize = len(request("txtMyEntry"))*2
Do while lngOffset < lngLogoSize
varChunk = LeftB(RightB(request("txtMyEntry"), lngLogoSize - _
lngOffset), conChunkSize)
rs("MyDataField").AppendChunk varChunk
lngOffset = lngOffset + conChunkSize
Loop
rs.Update
rs.Close
Oh and this code is almost verbatim from the MSDN site.
First I would eliminate the chunking which is so 90's.
Then there is:-
rs.Open "MyTable",Cnn, , , adCmdTable
rs.Find "MyDataId=" & request("DataId"),,adSearchForward,1
Yikes! You'd like to think that ADO intelligently asked SQL Server to find that record based on the indexed MyDataId field, but I bet it doesn't. It's most likely pulling the entire contents of the table across until the record is arrived at.
This really should be done with an UPDATE T-SQL statement and an ADODB.Command object.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = cnn
cmd.CommandType = 1 '' // adCmdText
cmd.CommandText = "UPDATE MyTable SET MyDataField = ? WHERE MyDataId = ?"
cmd.Parameters.Append cmd.CreateParameter("dataField", 203, 1, Len(txtMyEntry), txtMyEntry) '' // 203 = adLongVarWChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(DataID)) '' // 3 = adInteger (32-bit, so CLng; CInt overflows above 32767)
cmd.Execute